DEV Community

Jimi

Secure File Sharing with Azure Storage and Encryption

This blog post will guide you through creating secure shared storage for your application in Microsoft Azure. We'll cover storage account creation, access control with managed identities, and data encryption using Azure Key Vault.

Creating a Secure Storage Account

  1. Search for "Storage Account" in Azure and create one with your desired name and resource group.
    Screenshot: Searching for Storage Account
    Screenshot: Going to Encryption

  2. Enable Infrastructure Encryption for added security at rest. This option is only offered while the account is being created; it cannot be switched on afterwards.
    Screenshot: Enabling the Encryption

Adding Managed Identity for Access Control

  1. Search for "Managed Identities" and create one within your resource group.
    Screenshot: Creating managed identity
    Screenshot: Configuring the Managed Identity

  2. Go to your storage account's Access Control (IAM) settings.
    Screenshot: Locating the IAM Access Control

  3. Assign the Storage Blob Data Reader role to the managed identity you created.
    Screenshot: Adding a role assignment
    Screenshot: Search for storage blob data reader
    Screenshot: Assigning to Managed identity
    Screenshot: Searching for the managed identity

Securing Storage with Key Vault and Key

  1. Ensure you have Key Vault Administrator permissions. Assign this role to your user account.
    Screenshot: Navigating back to the storage account
    Screenshot: Locating IAM Control again
    Screenshot: Adding role assignment
    Screenshot: Adding key vault admin role
    Screenshot: Adding role assignment to your user

  2. Search for "Key Vaults" and create one with a name and resource group.
    Screenshot: Creating Key Vault
    Screenshot: Configuring Key Vault
    Screenshot: Changing the Access Configuration

  3. Enable soft delete and purge protection for additional security. Both must be on before a storage account will accept a key from this vault as its customer-managed key, and purge protection cannot be turned off once enabled.
    Screenshot: Checking soft-delete and purge protection enabled

  4. Generate a new key within the Key Vault.
    Screenshot: Generating the key
    Screenshot: Creating the key

Configuring Storage Account to Use Key Vault Key

  1. In your resource group's IAM settings, assign the Key Vault Crypto Service Encryption User role to your managed identity.
    Screenshot: Searching for the key vault crypto role
    Screenshot: Assigning the role to your identity

  2. Go to your storage account's Encryption settings and configure it to use the customer-managed key from your Key Vault.
    Screenshot: Locating Encryption in the Storage Account
    Screenshot: Configuring the Encryption

  3. Select the managed identity you created to give it access to the key.
    Screenshot: Selecting the key
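The portal steps from the four sections above (managed identity, Key Vault with soft delete and purge protection, the Crypto Service Encryption User role, and a storage account with infrastructure encryption and a customer-managed key) expressed as one Bicep template. This is an added example, not code from the original post; the resource names, the `Standard_LRS` SKU and the built-in role definition id are assumptions to check against your tenant, and the container, retention policy and encryption scope from the next section are left out.

```bicep
param location string = resourceGroup().location
param storageName string = 'stsecureshare001' // assumed name; must be globally unique
param keyVaultName string = 'kv-secureshare-001' // assumed name
// Built-in role id for "Key Vault Crypto Service Encryption User" (assumption: confirm with `az role definition list`)
var cryptoUserRole = 'e147488a-f6f5-4113-8e2d-b22465e65bf6'
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-secureshare' // assumed name
  location: location
}
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true // the post's "Access configuration" change: RBAC instead of access policies
    enableSoftDelete: true // required before the key can be used as a customer-managed key
    enablePurgeProtection: true // required as well; cannot be disabled once set
  }
}
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'storage-cmk' // assumed key name
  properties: { kty: 'RSA', keySize: 2048 }
}
// Grants wrap/unwrap only: the identity can use the key but never read or export it.
resource cryptoRa 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, cryptoUserRole)
  scope: kv
  properties: {
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal' // avoids the replication race on brand-new identities
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoUserRole)
  }
}
resource st 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uami.id}': {} } }
  properties: {
    encryption: {
      requireInfrastructureEncryption: true // double encryption at rest; only settable at creation
      keySource: 'Microsoft.Keyvault' // customer-managed key instead of Microsoft-managed
      keyvaultproperties: { keyname: cmk.name, keyvaulturi: kv.properties.vaultUri }
      identity: { userAssignedIdentity: uami.id } // the identity that unwraps the key
    }
  }
  dependsOn: [ cryptoRa ] // the role must exist before the account first tries to use the key
}
```

Deploy with `az deployment group create` into the resource group; if the storage account fails to create, the usual cause is the role assignment not yet being visible to Key Vault, so re-run the deployment.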

Setting Retention Policy and Encryption Scope

  1. Create a container named "hold" within your storage account.
    Screenshot: Locating Container

  2. Upload a file to the container.
    Screenshot: Uploading a file to the container

  3. Set a time-based retention policy on the container to prevent accidental deletion for a specified period (e.g., 5 days).
    Screenshot: Locating Access Policy of the Container
    Screenshot: Creating an immutable policy

  4. Create an encryption scope within your storage account for additional infrastructure-level encryption.
    Screenshot: Creating the encryption scope

Conclusion

By following these steps, you've created a secure shared storage solution in Azure. You've leveraged managed identities for access control, secured data with Azure Key Vault, and implemented retention policies and encryption scopes for enhanced protection. Remember to clean up your resources after following this guide in a non-production environment.
